With its continuous development, the Internet Protocol (IP) network has found ever wider practical application. The IP network has gradually begun to bear services with telecommunication-level quality of service and security requirements, so the security of the IP network has attracted increasing attention.
It is well known that the IP network provides no guarantee of security. This insecurity stems from the connectionless architecture adopted by the IP network. In a connection-oriented mode, end-to-end communication cannot take place until an end-to-end connection has been set up by signaling and the physical or logical network resources have been allocated. In a connectionless mode, by contrast, an end-to-end communication service is performed directly, without a connection being set up by signaling. The key to the security of a telecommunication-level end-to-end communication service is the establishment of a trust relationship between the two ends. In the connection-oriented mode this trust relationship is confirmed when the connection is set up, whereas in the connectionless mode it can only be confirmed during the communication itself.
Multi-Protocol Label Switching (MPLS) is a protocol that was originally proposed to increase the forwarding speed of routers. The key point of MPLS is the introduction of a label into the packet; the label has only local significance and carries no topology information. The label is short, so it is easy to process and can usually be used directly as an index into a forwarding table. Because the label has only local significance, it is convenient to assign. MPLS has become an important standard for scaling up the IP network because it underlies two key techniques in the IP network, namely traffic engineering and the virtual private network.
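The following is an added illustration, not part of the original text: it encodes and decodes the 32-bit MPLS label stack entry defined in RFC 3032 (20-bit label, 3-bit traffic class, 1-bit bottom-of-stack flag, 8-bit TTL) and drives a packet through two routers whose swap tables are keyed only by the locally assigned incoming label. The label values, table contents and interface names are constructed for the example; note that both routers use label 17 without conflict because a label has meaning only on the link it was assigned on.

```python
"""Added example: MPLS label stack entry (RFC 3032) and local label swapping.
The swap tables and label values below are constructed for illustration."""
import struct

LABEL_BITS = 20
MAX_LABEL = (1 << LABEL_BITS) - 1


def encode_entry(label: int, tc: int = 0, bottom: bool = False, ttl: int = 64) -> bytes:
    """Pack one label stack entry: 20-bit label, 3-bit TC, 1-bit S, 8-bit TTL."""
    if not 0 <= label <= MAX_LABEL:
        raise ValueError("label out of range")
    if not 0 <= tc <= 7 or not 0 <= ttl <= 255:
        raise ValueError("tc or ttl out of range")
    word = (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl
    return struct.pack("!I", word)


def decode_entry(data: bytes) -> dict:
    """Unpack the first four bytes of a packet into the entry's fields."""
    (word,) = struct.unpack("!I", data[:4])
    return {
        "label": word >> 12,
        "tc": (word >> 9) & 0x7,
        "bottom": bool((word >> 8) & 0x1),
        "ttl": word & 0xFF,
    }


# Constructed per-router swap tables: incoming label -> (outgoing interface, outgoing label).
# Each label is meaningful only on the link it was assigned on, so the same numeric
# value (17 here) is reused by both routers independently without conflict.
LSR_A = {17: ("ifA1", 1008)}
LSR_B = {1008: ("ifB2", 17)}


def forward(table: dict, pkt: bytes):
    """Swap the top label via the router's local table and decrement the TTL.
    Returns (outgoing interface, new packet), or None if the label has no local
    binding or the TTL has expired; an unknown label is dropped, never guessed."""
    hdr = decode_entry(pkt)
    if hdr["ttl"] <= 1:
        return None
    entry = table.get(hdr["label"])
    if entry is None:
        return None
    out_if, out_label = entry
    new_hdr = encode_entry(out_label, hdr["tc"], hdr["bottom"], hdr["ttl"] - 1)
    return out_if, new_hdr + pkt[4:]


def walk_path(pkt: bytes, hops):
    """Push a packet through an ordered list of routers' swap tables; return the
    interfaces used and the packet as it leaves the last hop (None if dropped)."""
    used = []
    for table in hops:
        res = forward(table, pkt)
        if res is None:
            return used, None
        out_if, pkt = res
        used.append(out_if)
    return used, pkt


if __name__ == "__main__":
    p = encode_entry(17, tc=5, bottom=True) + b"payload"
    print(decode_entry(p))
    print(walk_path(p, [LSR_A, LSR_B]))
```

The forwarding decision in `forward` depends on nothing but the incoming label and the router's own table, which is what makes the label cheap to process and to assign; it is also why a label says nothing about the sender, so the trust question raised above is not answered by the label itself.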
Telecommunication-level services cannot be adequately secured in the present IP network, because ordinary services with low security requirements (mainly Internet services such as web browsing and ordinary queries) and services with high security requirements (mainly telecommunication-level services such as video on demand and voice) are mixed together without effective partition. In short, the insecurity lies mainly in the fact that, because all services use the same IP network as a bearer, untrustworthy users cannot be prevented from accessing the network that bears the telecommunication-level services, and it is accordingly difficult to resist malicious attacks initiated by such users.
Separating ordinary Internet services from telecommunication-level services is therefore a key technique for building an IP network with guaranteed security. In the prior art there are several ways of separating ordinary services from telecommunication-level services in the IP network.
The first is separation at the physical layer, in which ordinary Internet services and telecommunication-level services are carried on different physical media. Although services of different levels are separated well in this manner, physical-layer separation is severely constrained and inflexible, and it is not practical to split the IP network across two different physical media.
The second is separation at the link layer, for example using a Virtual Local Area Network (VLAN), a Permanent Virtual Circuit (PVC) or the Layer 2 Tunneling Protocol (L2TP). Separation at the link layer is more flexible than separation at the physical layer. VLAN is the most popular separation technique at present: ordinary Internet services and telecommunication-level services are placed in different VLANs, so that logical separation is achieved at the link layer. However, this technique is usually limited to the Layer 2 access network close to the users.
The third is separation at the network layer, in which a policy router or an application layer gateway is used to separate services of different levels. With these techniques, services are distinguished according to information from the third or higher layers, and the different information flows are logically separated and distributed by means of an access control list, thereby achieving the objective of separating the services. Although this method is more flexible, it still operates in the connectionless mode.
When the above methods are used in practice, illegal users still cannot be effectively prevented from accessing the logical bearer network for telecommunication-level services, so the security of those services cannot be guaranteed.
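To make the limitation of the network-layer approach concrete, here is an added example that is not part of the original text: a minimal access control list of the kind a policy router applies, evaluated against constructed packets. The addresses, prefixes, port names and rules are hypothetical. The ACL admits a packet to the telecommunication-level bearer purely on the basis of header fields, so a packet from an untrusted ingress that merely claims a trusted source address is permitted exactly like a legitimate one. The final function adds an ingress-port check that is not part of a plain layer-3 ACL, to show what information the ACL decision lacks.

```python
"""Added example: layer-3 ACL classification and why it cannot tell a trusted
sender from one that spoofs a trusted address. All addresses, rules and port
names are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    ingress_port: str   # where the packet physically entered; invisible to the ACL


@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    src: str            # source prefix
    dst: str            # destination prefix
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


# Constructed ACL guarding a hypothetical voice signaling gateway in 10.200.0.0/24:
# only the subscriber prefix 10.1.0.0/16 may reach it on UDP/5060; all else denied.
TELECOM_ACL = [
    Rule("permit", "10.1.0.0/16", "10.200.0.0/24", "udp", 5060),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),
]


def classify(acl, p: Packet) -> str:
    """First-match ACL evaluation with an implicit final deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


# Hypothetical knowledge the ACL does not have: which ingress ports the trusted
# subscriber prefix is expected to arrive on.
EXPECTED_INGRESS = {ip_network("10.1.0.0/16"): {"access-1"}}


def classify_with_ingress_check(acl, p: Packet) -> str:
    """Reject a packet whose source claims a trusted prefix but which arrived on a
    port where that prefix is not expected, then fall back to the plain ACL.
    This is an added check, not part of the layer-3 ACL itself."""
    for net, ports in EXPECTED_INGRESS.items():
        if ip_address(p.src) in net and p.ingress_port not in ports:
            return "deny"
    return classify(acl, p)


if __name__ == "__main__":
    legit = Packet("10.1.5.7", "10.200.0.10", "udp", 5060, "access-1")
    spoof = Packet("10.1.5.7", "10.200.0.10", "udp", 5060, "internet-uplink")
    for name, pkt in (("legit", legit), ("spoof", spoof)):
        print(name, classify(TELECOM_ACL, pkt), classify_with_ingress_check(TELECOM_ACL, pkt))
```

The two packets are byte-for-byte identical at layer 3, which is the whole problem: a connectionless filter has nothing but the packet in hand to judge by, whereas a trust relationship confirmed at connection setup would have rejected the untrusted party before any packet was forwarded.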